Network Detective Inspector User Guide

Network Detective
Inspector Software Appliance
User Guide
© 2016 RapidFire Tools, Inc. All rights reserved
20160520 – Ver 3R
Network Detective™
Inspector Software Appliance
Contents
Overview
Components of the Inspector Software Appliance
Inspector Software Appliance
Inspector Diagnostic Tool
Network Detective Application
Inspector Software Appliance Features
Network Assessment Network Scan
Layer 2/3 Discovery of Network Devices (Exclusive to the Inspector)
Internal Vulnerability Scan (Exclusive to the Inspector)
Local Collector Push for Login Anomaly Reporting Scan (Exclusive to the Inspector)
HIPAA Compliance and Risk Assessment Scans
PCI Compliance and Risk Assessment Scans
External Vulnerability Scan
Automated Assessment Reporting
Remote Updating of the Inspector Software Appliance
Automated Scanning and Scheduling Best Practices
Getting Started
Inspector Software Appliance Deployment Options
Installing the Inspector Software Appliance on Hyper-V
Starting the Inspector Software Appliance on Hyper-V
Connecting the Optional Network Detective Hardware Appliance
Associating the Inspector Software Appliance to a Site
Step 1 - Creating a New Site
Step 2 - Adding an Inspector to a Site
Creating New Scans
Selecting and Configuring Data Collection Scans Using Inspector
Network Scan
SQL Server Data Collection
Local Data Scans
Internal Vulnerability Scan
Layer 2/3 Discovery and Network Scan
Local Collector Push Scan for Logon Anomaly Reporting
HIPAA Compliance Scans
PCI Compliance Scans
External Vulnerability Scan
Managing the Scan Queue
Scheduling a Scan
Scan Task Library versus Scan Tasks Queue
Cancelling a Scan
Downloading Scans
Configuring the Local Data Scan Merges
Using the Manage Inspector Appliance Feature to Configure Automatic Report Generation
Setting Up Automatic Reports for Network Assessments
Setting Up Automatic Reports for Security Assessments
Setting Up Automatic Reports for SQL Server Assessments
Setting Up Automatic Reports for HIPAA Compliance Assessments
Setting Up Automatic Reports for PCI Compliance Assessments
Updating a Software Appliance
Appendices
Appendix I
Inspector Diagnostic Tool
Overview
The Inspector Software Appliance is an appliance-based system used for performing scheduled IT
assessment scans and deeper dive diagnostics.
This guide is designed to provide an overview and specific steps required to install and configure the
Inspector Software Appliance and schedule the collection of network and security assessment data, SQL
Server assessment data, Internal Network Vulnerability assessment data, Layer 2/3 Discovery and
Network assessment data, Local Login Anomaly assessment data, HIPAA Compliance assessment data,
and PCI Compliance assessment data to be used with other Network Detective modules.
Components of the Inspector Software Appliance
Inspector Software Appliance
This is the Inspector software application that operates on either the Network Detective Hardware
Appliance or on a user-supplied Microsoft Hyper-V based system.
Optional Network Detective Hardware Appliance
This is an optional hardware component that can be purchased from RapidFire Tools to host and
operate the Inspector Software Appliance. It is a small, portable appliance which plugs into the target
network through an Ethernet connection.
Inspector Diagnostic Tool
This tool is used for configuring and troubleshooting the Inspector. The Diagnostic Tool should be run on
the same network as the Inspector to perform diagnostic checks, such as checking Inspector connectivity
or checking for available updates.
Network Detective Application
This is the same Network Detective desktop application and report generator that is used with any other
Network Detective modules. This application contains additional features to manage the Inspector
remotely.
Inspector Software Appliance Features
One key purpose of the Inspector is to perform scans from the point-of-view of the client’s internal
network.
Below is an overview of the scans that can be performed by the Inspector Software Appliance.
Network Assessment Network Scan
Note that this feature requires the Network Assessment Module.
Performs the full Network Assessment Scan from the point of view of the Inspector Software Appliance. The
resulting scan can be used to generate reports from the Network Assessment module.
Layer 2/3 Discovery of Network Devices (Exclusive to the Inspector)
Run when the Network Assessment Network Scan is executed.
Scans network devices for Layer 2 and Layer 3 connectivity information. The scans are used to generate
Layer 2/3 diagram and detail reports.
Internal Vulnerability Scan (Exclusive to the Inspector)
This scan takes advantage of the point of view provided by being connected to the client’s internal
network. Data is collected about open ports and protocol vulnerabilities that would be exploited once a
hacker is in the network. The Internal Vulnerability Scan focuses on INSIDE attacking INSIDE, whereas
the External Vulnerability Scan checks for OUTSIDE attacking EDGE (INSIDE).
Internal vulnerability scans are similar to external vulnerability scans; however, they are performed from
inside the target network. They look for vulnerabilities that are normally blocked externally by firewalls.
Within a network, unpatched or vulnerable systems may exist that an external scan may not capture.
This scan option performs a vulnerability scan with additional options, which may be more intensive
than the external equivalent. Please be aware that the scans may be resource intensive and should be
run during non-business hours if possible.
Local Collector Push for Login Anomaly Reporting Scan (Exclusive to the Inspector)
This scan gathers information regarding various user logins into the client’s environment. This scan is
used to produce the Login Anomalies report which analyzes the user login data and looks for anomalous
user behavior.
HIPAA Compliance and Risk Assessment Scans
Note that this feature requires the HIPAA Assessment Module.
These network and local scans can be scheduled and executed by Inspector in order to identify ePHI,
network vulnerabilities, security vulnerabilities, and local computer vulnerabilities necessary to perform
a HIPAA IT Risk Assessment.
PCI Compliance and Risk Assessment Scans
Note that this feature requires the PCI Assessment Module.
These network and local scans can be scheduled and executed by Inspector in order to identify
credit/debit card Primary Account Number (PAN) data, network vulnerabilities, security vulnerabilities,
and local computer vulnerabilities necessary to perform a PCI Data Security Standard (DSS) Compliance
and IT Risk Assessment.
External Vulnerability Scan
External Vulnerability scans are performed at the external “Network Edge” to check for security holes
and weaknesses, which can help you make better network security decisions. The External Vulnerability
Scan performed by Inspector includes a full Nmap scan, which checks all 65,535 ports and reports which
are open. This is an essential scan and is a standard security check to ensure a viable security policy has
been defined, implemented and maintained to protect the network from outside attacks.
Automated Assessment Reporting
Automatic Report Generation enables you to use the Inspector to schedule and generate a number of
assessment reports associated with the following:
• Network Assessments
• Security Assessments
• SQL Server
• HIPAA Compliance Assessments
• PCI Compliance Assessments
Remote Updating of the Inspector Software Appliance
The Inspector Software Appliance is easy to update remotely. Updates include bug fixes, new features,
and additional scan types.
Automated Scanning and Scheduling Best Practices
It is recommended that Network, Local Computer, External Vulnerability, Layer 2/3 Discovery and
Network, and the Local Collector Push for Login Anomaly Reporting scans are scheduled to be
performed on a weekly basis.
It is recommended that Internal Vulnerability scans are scheduled to be performed on a monthly basis
or after any significant IT infrastructure change has taken place.
Getting Started
Inspector Software Appliance Deployment Options
There are two Inspector Software Appliance deployment options available to users:
• Inspector Software Appliance deployment on a user-owned and operated Hyper-V based system
• Inspector Software Appliance deployment on the Network Detective Hardware Appliance
Installing the Inspector Software Appliance on Hyper-V
Please refer to the Virtual Appliance Installation Guide.
Starting the Inspector Software Appliance on Hyper-V
Start the Inspector Software Appliance on the Hyper-V based system. Take note of the Inspector
Appliance ID which will be required when you Associate the Inspector Software Appliance with your
Assessment Project.
Connecting the Optional Network Detective Hardware Appliance
To set up the Network Detective Hardware Appliance used to operate the Inspector Software Appliance,
first go to the physical location of the target network. After finding a secure location for the device,
connecting it to the network can be accomplished in two easy steps:
Associating the Inspector Software Appliance to a Site
Before using the Inspector Software Appliance, the Inspector must be associated with a Site in the
Network Detective Application.
Step 1 - Creating a New Site
If you have not yet added any Sites, open the Network Detective Application and navigate to New Site
from the Home screen.
Define a name for the Site. This should be unique and easily identifiable, such as the customer name or
physical location.
Step 2 - Adding an Inspector to a Site
After starting a new assessment, or within an existing assessment, in order to “Associate” an Inspector
Software Appliance with the Assessment Project, you must first select the V symbol to expand the
assessment properties view.
This action will expand the Assessment’s properties for you to view and to add a Software Appliance to
the Assessment.
To add an Appliance to an Assessment, from the Assessment Window select the Appliance button,
then the Appliances Add button as noted above.
Select the Appliance ID of the Appliance from the drop down menu. Note: When users have purchased
a Network Detective Hardware Appliance, the Appliance ID can be found on a printed label on the
Hardware Appliance itself.
After successfully adding an Appliance it will appear under the Appliance bar in the Assessment
Window.
To view a list of all Appliances and their associated Sites, navigate to the Appliance tab from the top bar
of the Network Detective Home screen. This will show a summary of all Appliances, their activity status,
and other useful information.
To return to the Site that you are using to perform your assessment, click on Home above and select the
Site that you are using to perform your assessment.
Creating New Scans
After associating an Appliance with a customer specific Site used for performing assessments, it is very
simple to configure Network Scans, Local Computer Scans, Internal Vulnerability Scans, Layer 2/3
Discovery and Network, and the Local Collector Push for Login Anomaly Reporting Scans using the
Inspector Software Appliance remotely from within the Network Detective desktop application.
With the Inspector Software Appliance, it is only necessary to go through the configuration and setup of
a Network Scan one time. After completing the setup, the Scan configurations will be stored and
associated with the Inspector Software Appliance to be run either on-demand or on a set schedule.
To set up a scan, first, go to the target Site’s Assessment Window and verify that an Inspector has been
successfully associated with the Site.
The Inspector(s) will appear under the Appliances bar.
If the Site does not already have an active Assessment, start a new Assessment by clicking Start and
following the prompts to choose the desired type of Assessment.
If an active Assessment is underway and available, the Assessment will be presented when the Site file
is opened.
Upon selecting the Active Assessment, you will be directed to the assessment’s Assessment Window.
From the Site’s active Assessment, select Initiate Appliance Scan from the Scans bar.
The Manage Appliance Tasks window will be displayed enabling you to select the IT or Compliance
Assessment scan you want to perform, configure the scan task, and to store the scan task in the
Inspector Task Library for either manual or scheduled execution.
If this is the first time a Scan has been initiated from the Inspector Software Appliance, follow the
Network Detective Data Collector’s Create Task prompts to configure the Scan.
Selecting and Configuring Data Collection Scans Using Inspector
Below is an overview of the scans that can be set up and performed using the Inspector Software
Appliance and the steps to set up the scans to be performed automatically or manually.
Network Scan
Note that the Network Assessment Reports are only available as part of the Network Assessment
module.
Step 1: Initiate Appliance Scan
From the Site’s active Assessment, select Initiate Appliance Scan from the Import Scans bar.
The Manage Appliance Tasks window will be displayed enabling you to select the IT or Compliance
Assessment Scan you want to perform, configure the scan task, and to store the scan task in the
Inspector Task Library for either manual or scheduled execution.
Step 2: Select Scan Type
Choose Network Scan from the wizard and click the Next button.
Step 3: Input Credentials
Input administrative credentials to access the Domain Controller or indicate that the target network
does not contain a Domain Controller.
Step 4: Select Local Domains
Choose either to scan all Domains detected on the target network or to restrict the Scan to selected
Organizational Units (OUs) and Domains.
Step 5: Input External Domains
External Domain names allow others to visit the target site and facilitate services, such as email. Input
External Domains here to include them as part of the data collection.
Examples of External Domains include:
• example.com
• mycompany.biz
Step 6: Specify IP Ranges
The IP ranges from the target network will be auto-detected and included in the scan. To include
additional subnets input them here.
Step 7: Add SNMP Information
By default, the software will retrieve data from devices with the community string “public.” If desired,
define an additional community string (such as “private”) and enter it here.
Step 8: Use MBSA
Check Run MBSA to perform a weak password check. Check Include Patch Analysis to gather
information on missing patches (this second option will increase the time required to perform the scan).
Step 9: Verify and Schedule
Check Send an email notification when schedule completes to notify a desired address upon completion
of the scan. This option is recommended as the time a scan takes to complete varies depending on the
target network.
Click on the Finish button to complete the scheduling of the Network Scan task which will display the
Appliance Tasks and Queue window.
The scheduled Network Scan can be confirmed in the Appliance Tasks and Queue window that is
displayed in the Task Library list referenced below.
Upon viewing the scan task, you can select the “run now” option link under the Queue column to
initiate the scan which will place the scan into the Queued Tasks list.
Or, you can click on the schedule link to execute the scan sometime in the future by selecting the interval
(daily, weekly, monthly, annually, or just once) option and the time that the scan should be scheduled to
run.
When you click the schedule link, the CRON Builder scheduler window is displayed and is used to set
the schedule action’s execution time. Please note that the time zone used for the CRON Builder time is
Eastern Standard Time (EST).
Note the Pending task present in the Queued Task list after the Run Now option has been selected for
the Network Scan in the window below.
SQL Server Data Collection
To create this scan task, perform the following steps:
1. Select the Scan Type SQL Server Collection.
2. Follow the prompts to set up the Credentials for the SQL Servers being assessed.
3. Verify the settings and Schedule the Scan.
Note that the SQL Server Module’s Assessment Reports are only available as part of the SQL Server
Module subscription.
Local Data Scans
Configuring Network Local Collection Push Scan
1. Select the Network Local Collection Push scan to perform a network scan on remote computers.
2. Follow the prompts to set up the Credentials and Remote Computer IP Addresses for the
equipment being scanned.
3. Verify the settings and schedule the scan.
Configuring Security Local Collector Push Scan
1. Select the Security Local Collector Push Scan to perform a security scan on remote computers.
2. Follow the prompts to set up the Credentials and Remote Computer IP Addresses for the
equipment being scanned.
3. Verify the settings and schedule the scan.
Internal Vulnerability Scan
The Internal Vulnerability Scan is an exclusive feature available through the Inspector.
Step 1: Initiate Appliance Scan
From the Site’s active Assessment, select Initiate Appliance Scan from the Scans bar.
The Manage Appliance Tasks window will be displayed enabling you to select the IT or compliance
Assessment scan you want to perform, configure the scan task, and to store the scan task in the
Inspector Task Library for either manual or scheduled execution.
If this is the first time a Scan has been initiated from the Inspector appliance, follow the Network
Detective Data Collector Create Task Wizard prompts to configure the Scan.
Step 2: Select Scan Type
Choose Internal Vulnerability Scan from the wizard and click Next. The Ports to Scan window will be
displayed.
Step 3: Specify Ports to Scan
When the Ports to Scan window is displayed, the Ports to Scan setup option allows you to select one of
two available scanning options. One option, referenced as the Standard Scan, is used to scan Standard
TCP ports and Top 1000 UDP ports. The second option, referenced as the Comprehensive Scan, is used
to execute a comprehensive scan of all TCP ports and Top 1000 UDP ports.
To proceed, select the appropriate number of ports to scan for your assessment’s purposes. Then select
the Next button. The IP Ranges screen will be displayed.
Step 4: Specify IP Ranges
At this point the Inspector appliance will perform Auto-Detect to identify an IP address range that can
be scanned. Alternatively, you can manually set the IP address range that you would like to scan during
the scheduled internal vulnerability scan.
IMPORTANT: THE AUTO-DETECT FEATURE WILL IDENTIFY THE IP RANGE OF THE INTERNAL SUBNET
THAT IS FROM THE INSPECTOR.
THIS COULD RESULT IN A SUBSTANTIALLY LARGER NUMBER OF IP ADDRESSES THAT WILL BE SCANNED
VERSUS THE ACTUAL NUMBER OF WORKSTATIONS, SERVERS, AND OTHER IP-BASED NETWORK
COMPONENTS, WHICH COULD BE A FAR SMALLER NUMBER.
IF THIS INTERNAL VULNERABILITY SCAN IS CONFIGURED TO INTERROGATE A LARGE NUMBER OF IP
ADDRESSES THAT ARE NOT USED BY ANY DEVICE, THE VULNERABILITY SCAN MAY TAKE
AN EXPONENTIALLY LONGER TIME THAN NECESSARY.
Define the IP Range that you would like to scan and select the Next button.
The Create Task - Verify and Schedule window will be displayed.
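The IMPORTANT note in Step 4 can be acted on by entering only the ranges that actually contain devices instead of the whole auto-detected subnet. The following is an added example, not part of the guide or of Network Detective: it collapses a list of in-use addresses into a few ranges and compares the address count with the auto-detected subnet. The subnet, the address list, the function names and the `max_gap` parameter are constructed for illustration.

```python
import ipaddress

# Constructed sample data (not from the guide): the subnet Auto-Detect might
# propose, and addresses known to be in use, e.g. exported from DHCP leases
# or an asset inventory.
AUTO_DETECTED = "10.20.0.0/16"
KNOWN_IN_USE = [
    "10.20.1.10", "10.20.1.11", "10.20.1.12", "10.20.1.40",
    "10.20.5.1", "10.20.5.2", "10.20.5.200",
    "10.20.1.11",    # duplicate inventory entry
    "192.168.9.4",   # not inside the auto-detected subnet
]


def scan_ranges(subnet, in_use, max_gap=16):
    """Collapse in-use addresses into (first, last) ranges inside `subnet`.

    Neighbours separated by at most `max_gap` unused addresses are merged so
    the list stays short enough to enter by hand. Returns (ranges, outside),
    where `outside` holds addresses that do not belong to the subnet.
    """
    net = ipaddress.ip_network(subnet)
    inside, outside = set(), []
    for text in in_use:
        addr = ipaddress.ip_address(text)
        if addr in net:
            inside.add(addr)          # the set drops duplicates
        else:
            outside.append(addr)

    ranges = []
    for addr in sorted(inside):
        unused_between = int(addr) - int(ranges[-1][1]) - 1 if ranges else None
        if ranges and unused_between <= max_gap:
            ranges[-1][1] = addr      # extend the current range
        else:
            ranges.append([addr, addr])
    return [(first, last) for first, last in ranges], outside


def address_count(ranges):
    """Number of addresses a scan of these ranges would interrogate."""
    return sum(int(last) - int(first) + 1 for first, last in ranges)


def format_ranges(ranges):
    """Render ranges as 'first-last' strings (single hosts as one address)."""
    return [str(a) if a == b else f"{a}-{b}" for a, b in ranges]


if __name__ == "__main__":
    ranges, outside = scan_ranges(AUTO_DETECTED, KNOWN_IN_USE)
    total = ipaddress.ip_network(AUTO_DETECTED).num_addresses
    print("Auto-detected subnet:", AUTO_DETECTED, f"({total} addresses)")
    print("Ranges to enter:     ", ", ".join(format_ranges(ranges)))
    print("Addresses scanned:   ", address_count(ranges))
    if outside:
        print("Not in this subnet:  ", ", ".join(map(str, outside)))
```

Raising `max_gap` gives fewer, wider ranges at the cost of scanning some unused addresses; the list of in-use addresses has to be current, or devices missing from it are skipped by the scan.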
Step 5: Verify and Schedule Scan Task
After the Create Task - Verify and Schedule window is displayed you can finalize the creation of the scan
task.
To have an Email Notification sent to you when the scan task completes, select the Send email
notification when schedule completes option, and type in the email address where the notification
should be sent.
Click on the Finish button to complete the scheduling of the internal vulnerability scan task which will
display the Appliance Tasks and Queue window.
The scheduled internal vulnerability scan can be confirmed in the Appliance Tasks and Queue window
that is displayed in the Task Library list referenced below.
Upon viewing the scan task, you can select the “run now” option link under the Queue column to
initiate the scan which will place the scan into the Queued Tasks list.
Or, you can click on the schedule link to execute the scan sometime in the future by selecting the interval
(daily, weekly, monthly, annually, or just once) option and the time that the scan should be scheduled to
run.
When you click the schedule link, the CRON Builder scheduler window is displayed and is used to set
the schedule action’s execution time. Please note that the time zone used for the CRON Builder time is
Eastern Standard Time (EST).
Note the Pending task present in the Queued Task list after the Run Now option has been selected for
the Vulnerability Scan in the window below.
Layer 2/3 Discovery and Network Scan
The Layer 2/3 Discovery and Network Scan is an exclusive feature available through the Inspector.
Step 1: Initiate Appliance Scan
From the Site’s active Assessment, select Initiate Appliance Scan from the Scans bar.
The Manage Appliance Tasks window will be displayed enabling you to select the IT or Compliance
Assessment scan you want to perform, configure the scan task, and to store the scan task in the
Inspector Task Library for either manual or scheduled execution.
If this is the first time a Scan has been initiated from the Inspector appliance, follow the Network
Detective Data Collector prompts to configure the Scan.
Step 2: Select Scan Type
Within the Assessment window, select the scan you are performing.
Choose Layer 2/3 Discovery Network Scan from the wizard and click the Next button.
Step 3: Input Credentials
Input administrative credentials to access the Domain Controller or indicate that the target network
does not contain a Domain Controller.
Step 4: Select Local Domains
Choose either to scan all Domains detected on the target network or to restrict the Scan to selected
Organizational Units (OUs) and Domains.
Step 5: Input External Domains
External Domain names allow others to visit the target site and facilitate services, such as email.
Input External Domains here to include them as part of the data collection. Then select the Next button
to continue.
Examples of External Domains include:
• example.com
• mycompany.biz
Step 6: Specify IP Ranges
The IP ranges from the target network will be auto-detected and included in the scan. To include
additional subnets input them here. Then select the Next button to continue.
Step 7: Add SNMP Information
By default, the software will retrieve data from devices with the community string “public.” If desired,
define an additional community string (such as “private”) and enter it here. Then select the Next button
to continue.
Step 8: Use MBSA
Check Run MBSA to perform a weak password check. Check Include Patch Analysis to gather
information on missing patches (this second option will increase the time required to perform the scan).
Step 9: Verify and Schedule
Check Send an email notification when schedule completes to notify a desired address upon completion
of the scan. This option is recommended as the time a scan takes to complete varies depending on the
target network.
Click on the Finish button to complete the scheduling of the Layer 2/3 Discovery Network Scan task,
which will display the Appliance Tasks and Queue window.
The scheduled Layer 2/3 Discovery Network Scan can be confirmed in the Appliance Tasks and Queue
window that is displayed in the Task Library list referenced below.
Upon viewing the scan task, you can select the “run now” option link under the Queue column to
initiate the scan which will place the scan into the Queued Tasks list.
Or, you can click on the schedule link to execute the scan sometime in the future by selecting the interval
(daily, weekly, monthly, annually, or just once) option and the time that the scan should be scheduled to
run.
When you click the schedule link, the CRON Builder scheduler window is displayed and is used to set
the schedule action’s execution time. Please note that the time zone used for the CRON Builder time is
Eastern Standard Time (EST).
Note the Pending task present in the Queued Task list after the Run Now option has been selected for
the Layer 2/3 Discovery Network Scan in the window below.
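The CRON Builder time zone note above, which the guide also gives for the Network Scan and the Internal Vulnerability Scan, matters when the site is not in the Eastern time zone. The following is an added example, not part of the guide or of Network Detective: it converts a weekly slot between site-local time and the builder's time and checks whether it lands in business hours. It assumes EST means a fixed UTC-5 offset; the site offsets, the function names and the 08:00-18:00 business-hours window are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# The guide states that CRON Builder times are Eastern Standard Time.
# Assumption: that is a fixed UTC-5 offset all year (no daylight saving).
EST = timezone(timedelta(hours=-5), "EST")
DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
MONDAY = datetime(2024, 1, 1)  # reference week; any Monday would do


def convert_slot(day, hour, minute, from_tz, to_tz):
    """Convert a weekly (day, hour, minute) slot between two fixed offsets."""
    start = MONDAY + timedelta(days=DAYS.index(day), hours=hour, minutes=minute)
    moved = start.replace(tzinfo=from_tz).astimezone(to_tz)
    # weekday() handles the roll-over into the previous or next day.
    return DAYS[moved.weekday()], moved.hour, moved.minute


def builder_slot(day, hour, minute, site_offset_hours):
    """Site-local slot -> the day and time to enter in the CRON Builder."""
    site = timezone(timedelta(hours=site_offset_hours))
    return convert_slot(day, hour, minute, site, EST)


def site_slots(day, hour, minute, site_offsets):
    """CRON Builder slot -> site-local slot for each UTC offset the site uses.

    A site that observes daylight saving has two offsets per year, so a fixed
    builder time fires at two different local times.
    """
    return {
        off: convert_slot(day, hour, minute, EST, timezone(timedelta(hours=off)))
        for off in site_offsets
    }


def hits_business_hours(slot, start=8, end=18):
    """True if a local (day, hour, minute) slot falls on a weekday in hours."""
    day, hour, _ = slot
    return day in DAYS[:5] and start <= hour < end


if __name__ == "__main__":
    # Constructed case: site at UTC+10, scan wanted Sunday 01:00 local time.
    print("Enter in CRON Builder:", builder_slot("Sun", 1, 0, 10))

    # Constructed case: builder set to Friday 02:00 for a site that is at
    # UTC+0 in winter and UTC+1 in summer.
    for offset, slot in site_slots("Fri", 2, 0, [0, 1]).items():
        flag = "IN BUSINESS HOURS" if hits_business_hours(slot) else "ok"
        print(f"UTC{offset:+d}: runs locally at {slot} -> {flag}")
```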
Local Collector Push Scan for Logon Anomaly Reporting
The Local Collector Push Scan for Logon Anomaly Reporting is an exclusive feature available through the
Inspector.
Step 1: Initiate Appliance Scan
From the Site’s active Assessment, select Initiate Appliance Scan from the Scans bar.
The Manage Appliance Tasks window will be displayed enabling you to select the IT or Compliance
Assessment Scan you want to perform, configure the scan task, and to store the scan task in the
Inspector Task Library for either manual or scheduled execution.
If this is the first time a Scan has been initiated from the Inspector appliance, follow the Network
Detective Data Collector prompts to configure the Scan.
Step 2: Select Scan Type
Choose Local Collector Push for Logon Anomaly Reporting Scan from the wizard and click the Next
button.
Step 3: Input Credentials
Input administrative credentials to access the Domain Controller or indicate that the target network
does not contain a Domain Controller. Then select the Next button to continue.
Step 4: Select Local Domains
Choose either to scan all Domains detected on the target network or to restrict the Scan to selected
Organizational Units (OUs) and Domains. Then select the Next button to continue.
Step 5: Input External Domains
External Domain names allow others to visit the target site and facilitate services, such as email. Input
External Domains here to include them as part of the data collection. Then select the Next button to
continue.
Examples of External Domains include:
• example.com
• mycompany.biz
Step 6: Specify IP Ranges
The IP ranges from the target network will be auto-detected and included in the scan. To include
additional subnets input them here. Then select the Next button to continue.
Step 7: Add SNMP Information
By default, the software will retrieve data from devices with the community string “public.” If desired,
define an additional community string (such as “private”) and enter it here. Then select the Next button
to continue.
Step 8: Use MBSA
Check Run MBSA to perform a weak password check. Check Include Patch Analysis to gather
information on missing patches (this second option will increase the time required to perform the scan).
Then select the Next button to continue.
Step 9: Verify and Schedule
Check Send an email notification when schedule completes to notify a desired address upon completion
of the scan. This option is recommended as the time a scan takes to complete varies depending on the
target network.
Click on the Finish button to complete the scheduling of the Local Collector Push for Logon Anomaly
Reporting Scan task which will display the Appliance Tasks and Queue window.
The scheduled Local Collector Push for Logon Anomaly Reporting scan can be confirmed in the
Appliance Tasks and Queue window that is displayed in the Task Library list referenced below.
Upon viewing the scan task, you can select the “run now” option link under the Queue column to
initiate the scan which will place the scan into the Queued Tasks list.
Or, you can click on the schedule link to execute the scan sometime in the future by selecting the interval
(daily, weekly, monthly, annually, or just once) option and the time that the scan should be scheduled to
run.
When you click the schedule link, the CRON Builder scheduler window is displayed and is used to set
the schedule action’s execution time. Please note that the time zone used for the CRON Builder time is
Eastern Standard Time (EST).
Note the Pending task present in the Queued Task list after the Run Now option has been selected for
the Local Collector Push for Logon Anomaly Reporting Scan in the window below.
HIPAA Compliance Scans
To learn more about how to configure the scans related to a HIPAA Compliance Assessment, please
refer to the HIPAA Module with Inspector User Guide.
Note that the HIPAA Module’s Assessment Reports are only available as part of the HIPAA Module
subscription.
PCI Compliance Scans
To learn more about how to configure the scans related to a PCI Compliance Assessment, please refer to
the PCI Module with Inspector User Guide.
Note that the PCI Module’s Assessment Reports are only available as part of the PCI Module subscription.
External Vulnerability Scan
To create this scan task, perform the following steps:
1. Choose External Scans Scan Type from the wizard and click the Next button.
2. Select the Scan Type External Vulnerability Scan.
3. Follow the prompts to set up the IP Addresses of the equipment/network being scanned.
4. Verify the settings and Schedule the Scan.
Managing the Scan Queue
After going through the steps to Associate the Software Appliance with a Site and configuring Network
Scans and storing them in the Task Library, it is a simple process to run either an immediate or
scheduled Data Collection on the target network. Note that the Scan configuration process must only be
completed one time and the resulting configuration will be stored for future use. This simplifies both
automated and remote execution of Data Collections.
To view the Scan Queue, first associate your Appliance with a Site. Then navigate to the target Site’s
Assessment Window.
After starting a new assessment, or within an existing assessment, in order to “Manage” an Appliance
within the Assessment Project, you must first select the V symbol to expand the assessment properties
view.
This action will expand the Assessment’s properties for you to view and to add an Appliance to the
Assessment.
Under the Appliances bar in the Active Assessment window select the Manage button. This will bring up
the Manage Appliance window and present the Task Library and the Queued Tasks.
Running a Scan On-Demand
Scans can be executed immediately through the use of the Run Now feature.
To run a Scan configuration, locate the task in the Task Library and select run now.
After the task has been queued, it will run as soon as resources are available. A Scan that is run on-demand (i.e. instead of on a schedule) will have no value in the table under the Next Run column.
Scheduling a Scan
To schedule a scan, select the Schedule option available within a Scan Task listed within the Task
Library.
To run a Scan configuration on a regular basis or at a future date, locate the Scan in the Task Library and
select schedule. This will bring up the CRON Builder.
Choose a date, time, or other periodic range from the drop-downs in the CRON Builder. Please note
that the time zone used for the CRON Builder time is Eastern Standard Time (EST).
After selecting a time frame, the scans will be executed according to the given schedule. Please be
aware that only one scan of a particular type can execute on the Inspector appliance at a time.
After the schedule is set, the table entry for the Scan in Queued Tasks will display the next run time and
whether or not the scan will repeat the schedule.
Please be aware that the scans may be intensive and should be run during non-business hours if possible.
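The following is an added planning example, not part of the original guide or the product. It converts a site-local scan start time into the value to enter in the CRON Builder, derives a start time for a follow-up Report Task that begins only after the scan's expected duration plus a margin, and flags a scan window that overlaps business hours. Assumptions: EST is taken literally as a fixed UTC-5 offset, business hours are Monday to Friday 08:00 to 18:00 site time, and all function names, site offsets and durations are hypothetical.

```python
from datetime import datetime, timedelta, timezone

# The guide says the CRON Builder clock is Eastern Standard Time (EST).
# Assumption: taken literally as a fixed UTC-5 offset with no daylight-saving shift.
CRON_BUILDER_TZ = timezone(timedelta(hours=-5), "EST")

# Assumption: business hours are Monday-Friday, 08:00-18:00 in the site's local time.
BUSINESS_OPEN_HOUR = 8
BUSINESS_CLOSE_HOUR = 18

DAY_NAMES = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")


def in_business_hours(local_dt):
    """Return True if a site-local datetime falls inside business hours."""
    return (local_dt.weekday() < 5
            and BUSINESS_OPEN_HOUR <= local_dt.hour < BUSINESS_CLOSE_HOUR)


def overlaps_business_hours(start_local, duration, step=timedelta(minutes=15)):
    """Check the whole scan window, not only its start time."""
    t = start_local
    end = start_local + duration
    while t < end:
        if in_business_hours(t):
            return True
        t += step
    return False


def as_cron_builder_text(aware_dt):
    """Render an aware datetime as the day and time to pick in the CRON Builder."""
    est = aware_dt.astimezone(CRON_BUILDER_TZ)
    return f"{DAY_NAMES[est.weekday()]} {est:%Y-%m-%d %H:%M}"


def plan_schedule(scan_start_local, expected_scan, margin):
    """Plan a scan and the Report Task that must run after it.

    scan_start_local: timezone-aware start time in the site's own zone.
    expected_scan:    how long the scan is expected to take (timedelta).
    margin:           extra buffer before the Report Task starts (timedelta).
    """
    if scan_start_local.tzinfo is None:
        raise ValueError("scan_start_local must be timezone-aware")
    report_start_local = scan_start_local + expected_scan + margin
    return {
        "scan_cron_builder": as_cron_builder_text(scan_start_local),
        "report_cron_builder": as_cron_builder_text(report_start_local),
        "scan_overlaps_business_hours":
            overlaps_business_hours(scan_start_local, expected_scan),
    }


# Constructed sample sites with fixed UTC offsets (assumptions for the demo).
SITE_UTC_MINUS_8 = timezone(timedelta(hours=-8))
SITE_UTC_PLUS_1 = timezone(timedelta(hours=1))

if __name__ == "__main__":
    samples = [
        # Saturday 01:00 at a UTC-8 site, 3 h scan, 1 h margin.
        (datetime(2016, 5, 21, 1, 0, tzinfo=SITE_UTC_MINUS_8),
         timedelta(hours=3), timedelta(hours=1)),
        # Monday 05:00 at a UTC+1 site, 4 h scan: runs into the working day.
        (datetime(2016, 5, 23, 5, 0, tzinfo=SITE_UTC_PLUS_1),
         timedelta(hours=4), timedelta(hours=1)),
    ]
    for start, scan_len, buf in samples:
        print(start.isoformat(), plan_schedule(start, scan_len, buf))
```

Note that the second sample's scan time lands on the previous calendar day in the CRON Builder, which matters when picking a weekly or one-time schedule.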
Scan Task Library versus Scan Tasks Queue
The Scan Task Library contains saved Scan configurations which can be run on demand or on a schedule
to conduct Network Scans. The advantage of the Scan Task Library is that the Network Scan
configurations can be reused and run on-demand or on a schedule. There is no need to repeatedly enter
the same information (such as the domain controller password or the IP Range) each time a data
collection is performed using this model. The Scan Tasks Queue lists the scans that are pending.
Cancelling a Scan
After the Site has been opened, select the V to expand the Assessment window to view any appliances
associated with the site.
Then select the Manage option present above the Appliance Status bar.
The Manage Inspector window will be displayed.
Then view the Queued Tasks located within the Manage Appliance window.
From Queued Tasks, click the Delete button for the Scan. This will only delete the Scan from the Queue
so it will not be run until it has been re-scheduled. The Scan configuration will still be stored in the Task
Library.
Downloading Scans
Successfully completed Network Scans are immediately available to download through the Network
Detective Application. After downloading these Scan files, they can be used to explore data or generate
reports as needed.
First, go to the Active Assessment of the Site associated with the Appliance. From the Assessment
Window, select Download Scans from the Scans bar.
All available Scans which have not yet been downloaded will be shown in a list. Check the desired Scans
and choose Download Selected or select Download All to receive all Scans.
After being successfully downloaded, Scans will immediately be displayed under the Scans bar and
available for data exploration or report generation.
Configuring the Local Data Scan Merges
When local scans are performed by the Appliance, they can be merged into a particular domain data
set. The Configuration of Local Scan Merges feature allows you to select which method you prefer to
use when merging local scans.
This setting will impact Alerts, Bulletins, and Automated Report Generation.
To select the process to be used by the Appliance to Merge any Local Scan Data into a primary domain
data set, perform the following steps.
Step 1 – Select the Site
Double-click the Site for which you are configuring automated scans and reports in order to
view and access the Site.
Step 2 – Select Manage Appliance
After the Site has been opened, select the V to expand the Assessment window to view any appliances
associated with the site.
Then select the Manage option present above the Appliance Status bar.
The Manage Inspector window will be displayed.
Step 3 – Set Scan Data Merge Configuration
Select the Configuration tab in the Manage Inspector Window to view the Local Scan Merge settings.
Step 4 – Set the Local Scan Merge Settings
Select the preferred Local Scan Merge method, or select Do Not Merge Local Scans.
Then select the Save and Close button to store the data merge settings.
Using the Manage Inspector Appliance Feature to Configure
Automatic Report Generation
Below is an overview of the steps required to set up Automatic Report Generation for the following
Assessment types:
• Network Assessments
• Security Assessments
• SQL Server Assessments
• HIPAA Compliance Assessments
• PCI Compliance Assessments
Setting Up Automatic Reports for Network Assessments
Automatic report generation for the Network Assessment Module requires that the scans be run on an
Inspector before a report can be generated. Following are the steps necessary to set up automatically
generated reports for the Network Assessment Module:
1. Create a new assessment that is of the type Network Assessment. Associate your Inspector
with the Site in which this new Assessment is created.
2. Manage the Inspector and create a new Scan Task that collects the Network Assessment
data.
3. After the scan task is created, Schedule the scan task for the times that are appropriate for
this Assessment.
4. Using the Manage Inspector feature and the Task Library Window, create a Report Task
that specifies desired reports from the Network Assessment Module. Keep in mind that
reports for specific Assessment types can only be produced after the Scans required for a
specific Assessment type have been performed.
5. Schedule the created Report Task for a time which is certain to be after the scan is
complete. Reports will use whatever data is on the Inspector based on the most recent scan
that has been completed, so if the scan is not complete then the reports will not have the
most recent scan’s data either.
6. If the user has specified that reports be delivered by email, the specified email should
receive an email with a .zip file of the reports attached as long as the zip file is less than 5
MB in size.
7. Report generation can take several minutes. After sufficient time has passed after the
report generation task schedule, view the generated reports by navigating to the Download
Reports item on the left hand side of the Network Detective application. The Download
Inspector Reports option will appear at the top of the Network Detective window. Then
press the Download Inspector Reports button at the top. A dialog will appear with reports
generated by the Inspector.
8. Select and right click on a report to download the report.
Setting Up Automatic Reports for Security Assessments
Automatic report generation for the Security Assessment Module requires that the scans be run on an
Inspector before a report can be generated. Following are the steps necessary to set up automatically
generated reports for the Security Assessment Module:
1. Create a new assessment that is of the type Security Assessment.
2. Associate your Inspector with the Site in which this new Assessment is created.
3. Manage the Inspector and create a new Scan Task that collects the Security Assessment
data.
4. Schedule the Scan Task for the times that are appropriate for this Assessment.
5. Using the Manage Inspector feature and the Task Library Window, create a Report Task
that specifies desired reports from the Security Assessment Module. Keep in mind that
reports for specific Assessment types can only be produced after the Scans required for a
specific Assessment type have been performed.
6. Schedule the created Report Task for a time which is certain to be after the scan is
complete. Reports will use whatever data is on the Inspector based on the most recent scan
that has been completed, so if the scan is not complete then the reports will not have the
most recent scan’s data either.
7. If the user has specified that reports be delivered by email, the specified email should
receive an email with a .zip file of the reports attached as long as the zip file is less than 5
MB in size.
8. Report generation can take several minutes. After sufficient time has passed after the
report generation task schedule time, view the generated reports by navigating to the
Download Reports item on the left hand side of the Network Detective application. The
Download Inspector Reports option will appear at the top of the Network Detective
window. Then press the Download Inspector Reports button at the top. A dialog will appear
with reports generated by the Inspector.
9. Select and right click on a report to download the report.
Setting Up Automatic Reports for SQL Server Assessments
Automatic report generation for the SQL Server Assessment Module requires that the scans be run on
an Inspector before a report can be generated. Following are the steps necessary to set up
automatically generated reports for the SQL Server Assessment Module:
1. Create a new assessment that is of the type SQL Server Assessment.
2. Associate your Inspector with the Site in which this new Assessment is created.
3. Manage the Inspector and create a new Scan Task that collects the SQL Server Assessment
data.
4. Schedule the Scan Task for the times that are appropriate for this Assessment.
5. Using the Manage Inspector feature and the Task Library Window, create a Report Task
that specifies desired reports from the SQL Server Assessment Module. Keep in mind that
reports for specific Assessment types can only be produced after the Scans required for a
specific Assessment type have been performed.
6. Schedule the created Report Task for a time which is certain to be after the scan is
complete. Reports will use whatever data is on the Inspector based on the most recent
scan that has been completed, so if the scan is not complete then the reports will not have
the most recent scan’s data either.
7. If the user has specified that reports be delivered by email, the specified email should
receive an email with a .zip file of the reports attached as long as the zip file is less than 5
MB in size.
8. Report generation can take several minutes. After sufficient time has passed after the
report generation task schedule time, view the generated reports by navigating to the
Download Reports item on the left hand side of the Network Detective application. The
Download Inspector Reports option will appear at the top of the Network Detective
window. Then press the Download Inspector Reports button at the top. A dialog will
appear with reports generated by the Inspector.
9. Select and right click on a report to download the report.
Setting Up Automatic Reports for HIPAA Compliance Assessments
Automatic report generation for the HIPAA Compliance Module requires that a full assessment that
includes scans, worksheets and surveys be completed and synced with the Inspector Software
Appliance before reports can be generated.
This is the only way for user completed forms to be transferred to the Inspector.
Once the assessment is complete and synced, new scans can be run on an Inspector and new reports be
generated with the previously specified Inform-based Survey and Worksheet data. Following are the
steps necessary to set up automatically generated reports for the HIPAA Compliance Module:
1. Using Network Detective, create a new assessment that is of the type HIPAA Risk
Assessment.
2. Associate your Inspector Software Appliance with the Site that this new HIPAA Assessment
is created within.
3. Complete all the requirements for a successful HIPAA Risk Assessment within this new
assessment. This includes external scans, network scans, local scans, and all appropriate
inform-based Surveys and Worksheets. When this step is complete the user should be able
to generate all HIPAA reports. The user is free to use the Inspector during this initial HIPAA
Assessment to gather the scan information as appropriate.
4. Once satisfied with a complete HIPAA assessment, press the “Finish” button. Confirm that
you wish to upload the data to the Inspector to be used with automatic report generation.
5. Start a new Assessment that is of the type HIPAA Risk Assessment.
6. On the Create New Assessment Wizard Screen, select the checkbox to sync the assessment
to the Inspector.
7. Manage the Inspector and set up a task schedule or schedules for collecting data as desired.
8. Schedule the created Report Task for a time which is certain to be after the scan is
complete. Reports will use whatever data is on the Inspector based on the most recent scan
that has been completed, so if the scan is not complete then the reports will not have the
most recent scan’s data either. Keep in mind that reports for specific Assessment types can
only be produced after the Scans required for a specific Assessment type have been
performed.
9. If the user has specified that reports be delivered by email, the specified email should
receive an email with a .zip file of the reports attached as long as the zip file is less than 5
MB in size.
10. Report generation can take several minutes. After sufficient time has passed after the
report generation task schedule, view the generated reports by navigating to the Download
Reports item on the left hand side of the Network Detective application. The Download
Inspector Reports option will appear at the top of the Network Detective window. Then
press the Download Inspector Reports button at the top. A dialog will appear with reports
generated by the Inspector.
11. Select and right click on a report to download the report.
12. If an “Exception Report” is present in the available reports, or was contained in the .zip file
sent in the notification email OR if you feel that data in the generated report is using data
from an inform-based worksheet or survey that is outdated:
a. Note any missing elements present in the Exception report (if present)
b. Update Inform forms in the currently active Assessment to reflect the data desired.
c. If current Informs do not contain the topics that are noted as missing:
i. Press the “Finish” button for the currently active Assessment.
ii. DO NOT agree to the question which asks if you would like to sync the data
to the Inspector.
iii. Start a new active Assessment. Check the checkbox which says “Sync with
latest Inspector scan”
iv. New assessment with latest data from Inspector will be created. Update
Inform as appropriate.
d. Press “Finish” button for currently active Assessment
e. DO agree to sync the data to the Inspector.
f. Then return to step 5 above.
Setting Up Automatic Reports for PCI Compliance Assessments
Automatic report generation for the PCI Compliance Module requires that a full assessment that
includes scans, worksheets and surveys be completed and synced with the Inspector before reports can
be generated.
This is the only way for user completed forms to be transferred to the Inspector. Once the assessment is
complete and synced, new scans can be run on an Inspector and new reports be generated with the
previously specified Inform-based Survey and Worksheet data.
Following are the steps necessary to set up automatically generated reports for the PCI Compliance
Module:
1. Using Network Detective, create a new assessment that is of the type PCI Risk Assessment.
2. Associate your Inspector with the Site in which this new PCI Assessment is created.
3. Complete all the requirements for a successful PCI Risk Assessment within this new
assessment. This includes external scans, network scans, local scans, and all appropriate
inform-based surveys and worksheets. When this step is complete the user should be able
to generate all PCI reports. The user is free to use the Inspector during this initial PCI
Assessment to gather the scan information as appropriate.
4. Once satisfied with a complete assessment, press the “Finish” button. Confirm that you
wish to upload the data to the Inspector to be used with automatic report generation.
5. Start a new Assessment that is of the type PCI Risk Assessment.
6. On the Create New Assessment Wizard Screen, select the checkbox to sync the assessment
to the Inspector.
7. Manage the Inspector and set up a task schedule or schedules for collecting data as desired.
8. Manage the Inspector and set up reporting tasks for times when the data collection tasks
are certain not to be running. Keep in mind that reports for specific Assessment
types can only be produced after the Scans required for a specific Assessment type have
been performed.
9. If the user has specified that reports be delivered by mail, the specified email should receive
an email with a zip of the reports attached as long as the zip file is less than 5 MB in size.
10. Report generation can take several minutes. After sufficient time has passed after the
report generation task schedule, view the generated reports by navigating to the Download
Reports item on the left hand side, and press the Download Inspector Reports button at the
top. A dialog will appear with reports generated by the Inspector.
11. Select and right click on a report to download the report.
12. If an “Exception Report” is present in the available reports, or was contained in the zip sent
in the notification email OR if you feel that data in the generated report is using data from
an inform-based worksheet or survey that is outdated:
a. Note any missing elements present in the Exception report (if present)
b. Update Inform forms in the currently active Assessment to reflect the data desired.
c. If current Informs do not contain the topics that are noted as missing:
i. Press the “Finish” button for the currently active Assessment.
ii. DO NOT agree to the question which asks if you would like to sync the data
to the Inspector.
iii. Start a new active Assessment. Check the checkbox which says “Sync with
latest Inspector scan”
iv. New assessment with latest data from Inspector will be created. Update
Inform as appropriate.
d. Press “Finish” button for currently active Assessment
e. DO agree to sync the data to the Inspector.
Then return to step 5 above.
Updating a Software Appliance
After installing a Software Appliance at the Site’s physical location and associating the Software
Appliance with a Site in the Network Detective Application, it’s important to regularly update the
Appliance to get the most out of the features available on the Software Appliance you are using which
may include one or more of the following: Data Collections, Automated Reports, Tech-Alerts, and
Security Bulletins.
In the Network Detective Application, navigate to the Network Detective ribbon bar and select the
Appliances icon.
This action will display the Software Appliances window that lists all of the Appliances that are available
for use within Network Detective.
To update the selected Software Appliance, right click on the Appliance’s name, and select the Update
menu option presented as displayed below.
Note that the Update menu will only be visible if software updates are available.
IMPORTANT: The Appliance Update Now feature, when activated to update the Software Appliance,
will shut down any tasks that are currently running on the Software Appliance. Before updating the
Software Appliance, either stop a currently running task listed in the Task Library window Queued
Tasks list, or perform the update after running tasks are completed.
A dialog will appear confirming the request for a software update.
Appendices
Appendix I
Inspector Diagnostic Tool
The Diagnostic Tool is used to gather relevant diagnostic information, test connectivity, manage
updates, and allow remote support to the Inspector appliance.
Available Commands
There are a number of commands available within the Appliance Manager.
Location and Information
Locate Network Detective Appliance
Re-initializes the Inspector discovery process and attempts to retrieve the Device ID number and other
diagnostic information.
Get Appliance Device ID
Displays the Inspector Appliance’s Device ID, used when associating the Inspector Appliance with a Site in
the Network Detective Application.
Diagnostics and Troubleshooting
Appliance Diagnostics
Queries the Inspector for diagnostic information used to verify running status, software, connectivity,
and NIC Information.
Ping Test from Appliance
Performs a ping test directed at a specified host or IP address from the point of view of the Inspector
itself.
Note: network connectivity is required for the Inspector to operate properly.
Get Log Files
Retrieves diagnostics logs from the Inspector. Returns a link to download a .zip file containing run log
information which may be used for further troubleshooting.
Service Control
Appliance Service Status
Queries the Inspector to return its current status. The possible statuses are as follows:
• Idle: The device is online, but performing no action.
• Queued: The device is online and performing no action. A schedule is active and queued to run.
• Running: The device is online and currently running a schedule.
Appliance Service Restart
Requests a Service Restart from the Inspector. Exercise caution when using this command because it
may interrupt any running Scan.
Updating via USB
Update Appliance via USB
Requests the Inspector to update via USB. Attempts to detect a USB device. If a USB device
containing the necessary files is found to be connected to the Inspector, an update will be performed.
Please ensure that a USB stick containing the update is plugged into the USB port of the Inspector
appliance.
Check USB Update Status
Returns the current status of a running update. Also attempts to detect any USB device with available
updates.
Remote Assistance
Toggle Remote Assistance Status
Instructs the Inspector to make itself available for Remote Assistance and to allow a technician to access
the device for support.
Check Remote Assistance Status
Returns the current status of Remote Assistance.
Shutdown and Restart
Restarts the Inspector Appliance.
Shutdown Appliance
Shuts down the Inspector Appliance.